Netgate Discussion Forum: pfSense® Software / IPsec
    • Mobile VPN routing to local network
      by Zottelmann. 0 votes, 1 post, 105 views.
      No one has replied.

    • Best solution Road warrior to IPSec SITE to SITE
      by Riccardo Prandini. 0 votes, 2 posts, 111 views.
      Last post:
      The first step was to push this config to clients, so the packets for the IPsec VPN are routed inside the OpenVPN tunnel.

      [screenshot]

      Under local networks there are:

      LAN,
      the remote net identified in phase 2 no. 1,
      the remote net identified in phase 2 no. 2

    • Running two IPSEC tunnels between two multi-wan sites
      by bp81. 0 votes, 2 posts, 174 views.
      Last post (jimp):
      You can't do that with policy-based tunnels.

      You have two choices:

      1. Keep the policy-based tunnels and set up Dynamic DNS and gateway groups on both sides so that if a WAN fails, it switches the hostname and the single IPsec tunnel to the other WAN. This works, but takes a long time to switch since it relies on DNS (several minutes, most likely).
      2. Ditch the policy-based tunnels and use VTI. Configure two tunnels (1.1.1.1<->3.3.3.3, 2.2.2.2<->4.4.4.4) and use FRR with either OSPF or BGP to handle the routing. When set up properly, dynamic routing protocols are smart enough to detect when a path is down and use the alternate path in a timely manner.
    • VPN SITE to SITE with NAT
      by Riccardo Prandini. 0 votes, 6 posts, 386 views.
      Last post:
      Strange, I had to add a rule that is not generating any traffic.

      [screenshot]

      It is not generating any traffic, but a big amount of evaluations.

      I'll try later to disable it.

      Other params are ok.

    • Poor performance Starlink/IP6 endpoint routing ip4
      by timboau 0. 0 votes, 5 posts, 258 views.
      Last post:
      In the end I switched over to WireGuard - smashing it in at around 6-8 MB/s. Tried everything with IPSec but gave up. I think I might have to investigate WireGuard further and switch the other VPNs over too. WireGuard seems to be really forgiving of the Starlink latency/dropped packets.

      Here is a file copy from a remote server to local along with 20x robocopy in the background doing file compares (no actual transfers).

      [screenshots: FC.JPG, wg.JPG]

    • Possible bug report
      Tags: dns resolution ipsec
      by bp81. 1 vote, 2 posts, 170 views.
      Last post:
      @bp81 I believe we have found the resolution, and I wanted to post it here for anyone else encountering the issue.

      In our DNS forwarder, we had a domain override set for our company's domain. This is the same domain as in the hostname for the remote gateway listed above. The domain override was pointing at a DNS server that is not accessible without the tunnel up. Clearly this was causing the IPsec service to fail repeatedly to establish its tunnel.

      So there was a misconfiguration on our part, which we have fixed. I still maintain that it's a bug if the IPsec service causes the web GUI to crash / become unresponsive, even when it's a self-induced failure state due to misconfiguration. I understand it's possible this may be a limitation of the IPsec service, but it is worth looking at even if it is an edge case.
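      The failure mode described in that post (the remote gateway's hostname falls under a domain override whose DNS server is only reachable through the tunnel itself) is easy to catch before the tunnel ever flaps. The following Python check is an added example written for this page; it is not code from the poster, from pfSense or from the DNS forwarder. The hostname, the override domain, the DNS server address and the phase 2 remote subnet are constructed assumptions; feed in your own values from the DNS forwarder's domain overrides and the tunnel's phase 2 entries.

```python
import ipaddress

# Constructed scenario modelled on the post above (all values are assumptions):
# the tunnel's remote gateway has a hostname under the company domain, and the
# DNS forwarder has a domain override for that domain pointing at a server that
# lives on a subnet only reachable through the tunnel.
REMOTE_GATEWAY = "vpn-b.corp.example"
DOMAIN_OVERRIDES = {"corp.example": "10.20.0.10"}   # override domain -> DNS server
TUNNEL_REMOTE_NETWORKS = ["10.20.0.0/16"]            # phase 2 remote subnets


def _override_for(hostname, overrides):
    """Longest-suffix match, as a forwarder would apply domain overrides:
    'a.b.corp.example' is served by the 'corp.example' override, and a more
    specific override wins over a shorter one."""
    host = hostname.rstrip(".").lower()
    best = None
    for domain, server in overrides.items():
        d = domain.rstrip(".").lower()
        if host == d or host.endswith("." + d):
            if best is None or len(d) > len(best[0]):
                best = (d, server)
    return best


def check_gateway_resolution(remote_gateway, overrides, remote_networks):
    """Return a finding dict when resolving the remote gateway name depends on a
    DNS server that sits behind the tunnel to that same gateway; None otherwise."""
    try:
        ipaddress.ip_address(remote_gateway)
        return None                       # IP literal: no DNS lookup needed at all
    except ValueError:
        pass
    hit = _override_for(remote_gateway, overrides)
    if hit is None:
        return None                       # resolved by the normal upstream resolvers
    domain, server = hit
    server_ip = ipaddress.ip_address(server)
    for net in remote_networks:
        if server_ip in ipaddress.ip_network(net, strict=False):
            return {
                "gateway": remote_gateway,
                "override_domain": domain,
                "dns_server": server,
                "reachable_only_via": net,
                "problem": "circular dependency: resolving the remote gateway "
                           "needs a DNS server that is only reachable once the "
                           "tunnel to that gateway is up",
            }
    return None


if __name__ == "__main__":
    print(check_gateway_resolution(REMOTE_GATEWAY, DOMAIN_OVERRIDES,
                                   TUNNEL_REMOTE_NETWORKS))
```

The fix the poster applied (point the override somewhere reachable without the tunnel, or add a host override for the gateway name) makes the check return None; so does using the gateway's IP address directly in the phase 1 configuration.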

    • Pfsense Ipsec vs palo Alto
      by scorpoin. 0 votes, 1 post, 125 views.
      No one has replied.

    • Traffic with NAT/BINAT translation via IPsec
      by jonnyp1. 0 votes, 1 post, 130 views.
      No one has replied.

    • No Obvious Ipsec errors, but no connection either. Fortinet -> Pfsense Ipsec
      by namek. 0 votes, 4 posts, 3384 views.
      Last post (originally in French, with the poster's own English translation):
      Hello,
      I currently encounter the same problem between a pfSense and a Fortinet. I applied the proposals of gerdesj (apart from the reboot on the Fortinet side).
      For the moment the problem persists.
      If someone has an idea.
      Thank you

      Oct 11 09:46:30 charon 55488 06[NET] <con100000|1> sending packet: from 10.10.10.254[500] to 84.14.183.243[500] (336 bytes)
      Oct 11 09:46:30 charon 55488 06[IKE] <con100000|1> retransmit 1 of request with message ID 0
      Oct 11 09:46:30 charon 55488 06[CFG] ignoring acquire, connection attempt pending
      Oct 11 09:46:30 charon 55488 06[KNL] creating acquire job for policy 10.10.10.254/32|/0 === 84.14.183.243/32|/0 with reqid {1}
      Oct 11 09:46:29 charon 55488 06[CFG] ignoring acquire, connection attempt pending
      Oct 11 09:46:29 charon 55488 06[KNL] creating acquire job for policy 10.10.10.254/32|/0 === 84.14.183.243/32|/0 with reqid {1}
      Oct 11 09:46:28 charon 55488 07[CFG] vici client 2 disconnected
      Oct 11 09:46:28 charon 55488 07[CFG] vici client 2 requests: list-sas
      Oct 11 09:46:28 charon 55488 07[CFG] vici client 2 registered for: list-sa
      Oct 11 09:46:28 charon 55488 07[CFG] vici client 2 connected
      Oct 11 09:46:26 charon 55488 06[NET] <con100000|1> sending packet: from 10.10.10.254[500] to 84.14.183.243[500] (336 bytes)
      Oct 11 09:46:26 charon 55488 06[ENC] <con100000|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Oct 11 09:46:26 charon 55488 06[CFG] <con100000|1> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Oct 11 09:46:26 charon 55488 06[CFG] <con100000|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Oct 11 09:46:26 charon 55488 06[IKE] <con100000|1> IKE_SA con100000[1] state change: CREATED => CONNECTING
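      The log pasted above shows a specific and common pattern: charon sends IKE_SA_INIT (message ID 0), gets nothing back, retransmits, and meanwhile the kernel keeps raising acquires for traffic that matches the policy, which charon ignores while the attempt is pending. Nothing in it is an "error"; the peer simply never answers on UDP/500. The following Python script is an added example written for this page, not code from the poster, from pfSense or from strongSwan: it parses charon lines in the format shown, groups them per IKE SA, and reports an SA whose IKE_SA_INIT was sent but never answered, along with the peer address, the retransmit count, the number of ignored acquires and any weak terms in the configured proposal. The sample lines are the post's own, re-sorted into chronological order (the forum shows newest first); the weak-algorithm list and the hint text are the example's assumptions, not a strongSwan list.

```python
import re
from collections import defaultdict

# Constructed sample: the charon lines from the post above, re-sorted into
# chronological order (the forum paste shows newest first).
SAMPLE_LOG = """\
Oct 11 09:46:26 charon 55488 06[IKE] <con100000|1> IKE_SA con100000[1] state change: CREATED => CONNECTING
Oct 11 09:46:26 charon 55488 06[CFG] <con100000|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 11 09:46:26 charon 55488 06[CFG] <con100000|1> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Oct 11 09:46:26 charon 55488 06[ENC] <con100000|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 11 09:46:26 charon 55488 06[NET] <con100000|1> sending packet: from 10.10.10.254[500] to 84.14.183.243[500] (336 bytes)
Oct 11 09:46:28 charon 55488 07[CFG] vici client 2 connected
Oct 11 09:46:28 charon 55488 07[CFG] vici client 2 registered for: list-sa
Oct 11 09:46:28 charon 55488 07[CFG] vici client 2 requests: list-sas
Oct 11 09:46:28 charon 55488 07[CFG] vici client 2 disconnected
Oct 11 09:46:29 charon 55488 06[KNL] creating acquire job for policy 10.10.10.254/32|/0 === 84.14.183.243/32|/0 with reqid {1}
Oct 11 09:46:29 charon 55488 06[CFG] ignoring acquire, connection attempt pending
Oct 11 09:46:30 charon 55488 06[KNL] creating acquire job for policy 10.10.10.254/32|/0 === 84.14.183.243/32|/0 with reqid {1}
Oct 11 09:46:30 charon 55488 06[CFG] ignoring acquire, connection attempt pending
Oct 11 09:46:30 charon 55488 06[IKE] <con100000|1> retransmit 1 of request with message ID 0
Oct 11 09:46:30 charon 55488 06[NET] <con100000|1> sending packet: from 10.10.10.254[500] to 84.14.183.243[500] (336 bytes)
"""

# One charon line as pasted: timestamp, "charon <pid>", "<thread>[GROUP]",
# an optional "<conn|ike-sa-id>" tag, then the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon \d+ "
    r"\d+\[(?P<grp>[A-Z]+)\] (?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?(?P<msg>.*)$"
)

# Proposal terms a practitioner should not accept any more (this example's own
# list, not a strongSwan or pfSense one): 1024-bit and smaller DH groups, 3DES, MD5.
WEAK_TERMS = ("MODP_768", "MODP_1024", "MODP_1536", "3DES", "MD5")


def parse(text):
    """Return one dict per line that matches LINE_RE; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def diagnose(entries):
    """Group events per IKE SA and return a list of finding dicts."""
    sas = defaultdict(lambda: {"init_sent": 0, "retransmits": 0, "received": 0,
                               "proposal": "", "peer": ""})
    pending_acquires = 0
    for e in entries:
        msg = e["msg"]
        if e["sa"] is None:
            # Kernel acquires: traffic matching the policy keeps asking for the
            # tunnel; charon ignores them while the first attempt is pending.
            if "creating acquire job" in msg:
                pending_acquires += 1
            continue
        s = sas[(e["conn"], e["sa"])]
        if "generating IKE_SA_INIT request" in msg:
            s["init_sent"] += 1
        elif msg.startswith("retransmit ") and "message ID 0" in msg:
            s["retransmits"] += 1
        elif msg.startswith("received packet:") or "parsed IKE_SA_INIT response" in msg:
            s["received"] += 1          # anything back from the peer ends this diagnosis
        elif msg.startswith("configured proposals:"):
            s["proposal"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("sending packet:"):
            m = re.search(r" to (\S+)\[(\d+)\]", msg)
            if m:
                s["peer"] = f"{m.group(1)}:{m.group(2)}"

    findings = []
    for (conn, sa), s in sas.items():
        if s["init_sent"] and not s["received"]:
            algs = s["proposal"].split(":", 1)[-1].split("/")
            findings.append({
                "conn": conn,
                "ike_sa": int(sa),
                "verdict": "no_reply_to_ike_sa_init",
                "peer": s["peer"],
                "retransmits": s["retransmits"],
                "pending_acquires": pending_acquires,
                "weak_terms": [a for a in algs if a in WEAK_TERMS],
                "hint": "Nothing came back on UDP/500: the peer is down, UDP/500 is "
                        "filtered on the path, or the peer does not answer this "
                        "source address. Check the peer's IKE log and the path "
                        "before touching proposals.",
            })
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse(SAMPLE_LOG)):
        print(finding)
```

On the pasted lines the script reports one finding for con100000 (peer 84.14.183.243:500, one retransmit, two ignored acquires) and flags MODP_1024 in the configured proposal; the moment a "received packet:" line from the peer appears for that SA, the diagnosis no longer applies and the problem has moved to a later exchange.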

    • No Gateway added for remote IPSEC endpoint
      by gyterpena. 0 votes, 2 posts, 454 views.
      Last post:
      This was solved: the cause was a missing GW on the WAN interfaces.

    • Possible UI issue in Status -> IPsec -> Overview
      by Jonny. 0 votes, 3 posts, 255 views.
      Last post:
      Ah, didn't spot this yesterday when I looked.

      https://redmine.pfsense.org/issues/11910

      This can be considered solved I think.

    • This topic is deleted!
      by JonnyDy. 0 votes, 1 post, 67 views.
      No one has replied.

    • Does PFSense log L2TP user creation time/date?
      by prewest. 0 votes, 1 post, 202 views.
      No one has replied.

    • ArcServeUDP Replication over IPSec Site-to-Site issue
      by RNSI_Tech. 0 votes, 1 post, 196 views.
      No one has replied.

    • IPSec Remote Desktop Connection failing to Domain Controller
      by pickupman. 0 votes, 1 post, 195 views.
      No one has replied.

    • win10 ipsec/ikev2 smartcard to pfsense fails - EAP method EAP_TLS failed for peer
      by siegmarb. 0 votes, 2 posts, 289 views.
      Last post:
      Just for the record: I just loaded the cert onto a YubiKey 5 hardware smartcard. Same error/result.

    • After upgrading to 21.02 IPsec pfSense to SonicWall won't stay connected
      by jwrb18. 0 votes, 12 posts, 815 views.
      Last post:
      @mmapplebeck Hello.
      Have you solved the reconnection issue?
      I have updated pfSense to version 2.5.2. I have checked and confirmed all data from site A to site B. I have reduced the time to reconnect and that alleviated some trouble but did not fix it. Also, I have enabled and set MSS to 1400.
      Every day one of my tunnels is blocked. It doesn't seem to renegotiate the connection well. After terminating one of the Phase 1 zombie connections, the communication is reset.
      Also another tunnel connection fails from time to time and I have to disable it for any of the Phase 2 to work again.

    • IPsec can't reach endpoints behind firewall
      by prm. 0 votes, 1 post, 216 views.
      No one has replied.

    • IPSEC behind ISP router
      by jpattard. 0 votes, 4 posts, 333 views.
      Last post:
      @elvisimprsntr The router is a TP-Link load balancer that does the connection to the ISP. I tried port forwarding UDP/TCP 500 (Virtual Servers) to the pfSense IP address, but same issue...

    • IPSEC pfsense and fortigate: could not decrypt payloads
      by GB13. 0 votes, 2 posts, 415 views.
      Last post (jimp):
      Your pre-shared key does not exactly match the key at the far side.

      https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec.html#phase-1-pre-shared-key-mismatch

      If it works sometimes and not others, it may be that it only works when initiating in one direction. It could still be a problem with the key, but perhaps something more subtle like an extra space at the start/end that is ignored when checking on one side but not the other.

    • High CPU load (100% on one core) when enabling Phase 1
      by b_chris. 1 vote, 10 posts, 2891 views.
      Last post (jimp):
      @michelz said in High CPU load (100% on one core) when enabling Phase 1:

      "Disable properly means IPSec won't need it and won't have these errors in the log?"

      Correct. When disabled with the patch, references to that daemon and/or its services are not present in the IPsec configuration, so the errors will not happen.

    • IPSec Mobile Client from both Outside and Inside
      by keyser. 0 votes, 3 posts, 283 views.
      Last post:
      @keyser Updated: it actually works if your IPsec is running in tunnel mode and you make sure to resolve the VPN endpoint name to the public IP on the WAN interface from the inside as well :-)

    • IKEv2 client VPN: unexpected no proposal match
      by PetrH. 0 votes, 3 posts, 367 views.
      Last post:
      @jimp Great, thanks for the hint. I was thinking in the right direction, but missed the setting. I looked more thoroughly again and found it.

    • Shrewsoft IPSEC tunnel ok but unable to reach remote gateways
      by jafdza4. 0 votes, 1 post, 205 views.
      No one has replied.

    • IPsec tunnel from remote site, need to pass VLAN traffic for phones?
      Tags: l2tp vlan ipsec voip vpn
      by djohnson. 0 votes, 2 posts, 349 views.
      Last post:
      @djohnson
      This is a late reply but it may assist someone else in future.
      The VoIP audio traffic (RTP) requires separate UDP ports to be open. The exact range will vary depending on your VoIP system.

      Hence, if the RTP ports are not open, you can experience a "working" system, but with a complete lack of audio.

    • VPN IPSEC starts connecting but link not establishing
      by Aymeric. 0 votes, 1 post, 286 views.
      No one has replied.

    • IPSEC tunnel suddenly stopped working
      by nick.loenders. 0 votes, 1 post, 232 views.
      No one has replied.

    • awful VPN speed
      by AxelTwin 0. 0 votes, 1 post, 258 views.
      No one has replied.

    • IPSec 2 remote sites cross communication
      by xbipin. 0 votes, 1 post, 219 views.
      No one has replied.

    • IPsec/IKEv2/EAP-TLS VPN - IPv6 traffic not flowing
      by ChrisJenk. 0 votes, 1 post, 222 views.
      No one has replied.

    • Allow device from vlan A to connect over ipsec to device in vlan B
      by DonZalmrol. 0 votes, 5 posts, 462 views.
      Last post:
      This looks indeed not possible to do.
      Post may be locked.

    • Unable to replace the certificate for mobile clients.
      by JonnyDy. 0 votes, 3 posts, 357 views.
      Last post:
      @jimp Thanks to you! Changed to TLS Web Server certificate, error disappeared.

    • Fritzbox LTE IPSec Tunnel for community edition 2.5.2
      by flandwehr. 0 votes, 1 post, 208 views.
      No one has replied.

    • VPN connects successfully but some local IPs couldn't be pinged.
      by yoddp. 0 votes, 2 posts, 342 views.
      Last post:
      anyone?

    • How to avoid sending of the extended sequence number
      by EpesiSupport. 0 votes, 1 post, 207 views.
      No one has replied.

    • IPSec IKEv2 EAP-TLS with multiple mobile connections
      by daystrom_matthew. 0 votes, 5 posts, 345 views.
      Last post:
      @jimp Thanks again!

      I'll have a look into a way of automatically deploying the certificates per user, per device then. I have a CA external to pfSense I can leverage for that.

      This will let me get the core users we need going in the meantime.

      Have a great day
      Matt :)

    • 1st time user with IPsec and pfSense disconnecting issue
      by damien_c2. 0 votes, 1 post, 265 views.
      No one has replied.

    • 1 out of 2 IPSEC connections drops after random time.
      by jacoventer. 0 votes, 6 posts, 469 views.
      Last post:
      @walid-0 said in 1 out of 2 IPSEC connections drops after random time.:

      "If you only get disconnected in phase 2, please use IKEv1 instead of IKEv2; this will enable reauthentication and the phase 2 will renew every time the lifetime reaches 90%."

      Even if this worked, I don't know that I would suggest using IKEv1 to resolve it. IKEv2 provides many benefits over IKEv1, but a failed child SA is just a misconfiguration and should be fixable.

    • What became of the Mutual RSA auth option?
      by dross. 0 votes, 4 posts, 360 views.
      Last post (jimp):
      The document I linked has all the information you'll need to get it working properly.

    • Phase 2 Established Only From pfSense Side
      by Mattman. 0 votes, 1 post, 217 views.
      No one has replied.
